The security group rule you've provided allows SSH access (port 22) from any IPv4 address (0.0.0.0/0). While this rule will allow you to connect to your instance, it's not considered a best practice from a security standpoint as it exposes your instance to potential unauthorized access attempts from anywhere on the internet.
To improve security while still allowing EC2 Instance Connect to function, you can restrict SSH access to only the EC2 Instance Connect service IP addresses for your specific AWS region. In this case, the recommendation is to use the CIDR block 13.233.177.0/29 instead of 0.0.0.0/0.
Here's how you can modify your security group rule for better security:
- Remove the existing rule that allows SSH from 0.0.0.0/0
- Add a new inbound rule with the following settings:
  - Type: SSH
  - Protocol: TCP
  - Port Range: 22
  - Source: 13.233.177.0/29 (EC2 Instance Connect service IP range for your region)
This change will restrict SSH access to only the EC2 Instance Connect service, which should still allow you to connect to your instance using EC2 Instance Connect while improving your security posture.
If you're unable to connect to your instance after making this change, there could be other factors preventing the connection. Some things to check include:
- Ensure your instance has passed its status checks.
- Verify that you're using the correct private key and username for your instance.
- Check if there are any network ACLs or OS-level firewalls (like iptables) blocking the connection.
- Review system logs for any potential issues, such as out-of-memory (OOM) errors.
If you continue to experience connection issues, you may need to investigate further using AWS Systems Manager Session Manager or EC2 Serial Console to troubleshoot the problem.
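An offline audit of the rule change described in this answer, added here as an example (not code from the answer or from AWS): it reads a security group in the shape returned by `aws ec2 describe-security-groups`, flags SSH open to the world, checks that the remaining SSH sources fall inside the Instance Connect range quoted above, and prints the CLI calls that swap one for the other. The group id and sample rules are constructed placeholders.

```python
import ipaddress

# Constructed sample shaped like one group from `aws ec2 describe-security-groups`;
# the group id is a placeholder, not a real resource.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1",  # "all traffic" from an internal range
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
# The EC2 Instance Connect service range quoted in the answer above.
INSTANCE_CONNECT_CIDR = ipaddress.ip_network("13.233.177.0/29")

def _covers_ssh(perm: dict) -> bool:
    """True if a rule entry reaches TCP/22 (protocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]

def ssh_sources(sg: dict) -> list:
    """Every source CIDR (v4 or v6) that can reach SSH on this group."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if _covers_ssh(perm):
            found += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return found

def world_open_ssh(sg: dict) -> list:
    """SSH sources that mean 'anywhere': 0.0.0.0/0 or ::/0."""
    return [c for c in ssh_sources(sg) if ipaddress.ip_network(c).prefixlen == 0]

def is_instance_connect_only(sg: dict) -> bool:
    """True when SSH is reachable, and only from inside the Instance Connect range."""
    nets = [ipaddress.ip_network(c) for c in ssh_sources(sg)]
    return bool(nets) and all(
        n.version == 4 and n.subnet_of(INSTANCE_CONNECT_CIDR) for n in nets)

def remediation_commands(sg: dict) -> list:
    """AWS CLI calls replacing each world-open IPv4 SSH source with the service range."""
    base = f"--group-id {sg['GroupId']} --protocol tcp --port 22"
    cmds = []
    for cidr in (c for c in world_open_ssh(sg) if ":" not in c):  # v6 needs JSON form
        cmds.append(f"aws ec2 revoke-security-group-ingress {base} --cidr {cidr}")
        cmds.append(f"aws ec2 authorize-security-group-ingress {base} --cidr {INSTANCE_CONNECT_CIDR}")
    return cmds
```

Run `remediation_commands` against the real output of `describe-security-groups` to get the exact revoke/authorize pair, and `is_instance_connect_only` afterwards to confirm nothing wider than the service range is left.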
Your security group sounds like it is set up fine.
Is the EC2 instance provisioned in a public subnet, that is, a subnet which has an entry in its route table for an Internet Gateway? If you are using a default subnet in the default VPC then these are already set up like this.
If the subnet that the EC2 instance is being provisioned into does not have a route for an Internet Gateway then that is where your problem is. You can either add an Internet Gateway, or if that would breach security practices then consider access through a bastion host, or as suggested in the other answer, using Instance Connect or Session Manager.
I am not sure, though, whether "out of the box" Red Hat Linux will work straightaway with either of those.